Hi, I am a newbie to SPL. I am trying to write a regex that will extract the unix/windows path from the full_log field. I am having no luck with that. Can you please help? The following regex is for Windows. Thank you for your help.
index="newindx" agent.name="*-svrname-*" "*checksum*" | rex field=full_log "^File\s+(?<checksum_changed>^\'[a-zA-Z]:\\[\\\S|*\S]?.*'$)\s+checksum\s+changed.+"

full_log: File '/apps/data/db.data' checksum changed.
full_log: File 'c:\windows\system32\xpsservices.dll' checksum changed.
... | rex field=full_log "File '(?<path>.*)[\\\/]\w+\.\w+'"

If that doesn't work, you may need more escape characters, so try:

... | rex field=full_log "File '(?<path>.*)[\\\\\/]\w+\.\w+'"
Keep it simple!
rex field=full_log "^full_log:\sFile\s'(?<filename>[^']+)'\schecksum changed\."
Rather than trying to guess all legal characters, why not just tell rex "anything but a single quote"?
This strategy will save you a lot of time, improve readability, and make your extractions much more durable.
See regex: https://regex101.com/r/iz1eYY/1
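The "anything but a single quote" approach from the answer above, run over the two sample events from the question plus one constructed edge case, as an added example that is not part of the original thread. It uses Python's `re` module (the same PCRE-style syntax rex accepts, without the extra layer of SPL string escaping), so it is a way to check a pattern before pasting it into a search. The sample events and the `split_path` helper are assumptions added here; note that the `full_log:` label in the question is the field name, not part of the field value, so anchoring a pattern on it will not match inside `rex field=full_log`.

```python
import re

# Constructed sample events, modelled on the two full_log values in the question.
# The third one is an added edge case: an apostrophe inside the path.
SAMPLE_EVENTS = [
    "File '/apps/data/db.data' checksum changed.",
    "File 'c:\\windows\\system32\\xpsservices.dll' checksum changed.",
    "File '/home/o'brien/notes.txt' checksum changed.",
]

# Equivalent of: rex field=full_log "^File\s'(?<filename>[^']+)'\schecksum changed\."
# [^']+ stops at the first apostrophe, so it cannot capture a path containing one.
SIMPLE_RE = re.compile(r"^File\s'(?P<filename>[^']+)'\schecksum changed\.$")

# Same idea, but anchored on the trailing literal instead of "no apostrophe":
# .+ is greedy and backtracks to the last "' checksum changed." on the line.
ANCHORED_RE = re.compile(r"^File\s'(?P<filename>.+)'\schecksum changed\.$")


def extract_filename(event, pattern=SIMPLE_RE):
    """Return the quoted path from one event, or None if the pattern does not match."""
    m = pattern.match(event)
    return m.group("filename") if m else None


def split_path(filename):
    """Split a Unix or Windows path on its last separator and tag the OS.

    The OS guess is a simple drive-letter check (assumption for this example).
    """
    os_kind = "windows" if re.match(r"^[A-Za-z]:\\", filename) else "unix"
    m = re.match(r"^(?P<dir>.*)[\\/](?P<base>[^\\/]+)$", filename)
    if not m:
        return {"os": os_kind, "dir": "", "base": filename}
    return {"os": os_kind, "dir": m.group("dir"), "base": m.group("base")}


def extract_all(events, pattern=SIMPLE_RE):
    """Run the extraction over a list of events, keeping only the matches."""
    results = []
    for event in events:
        filename = extract_filename(event, pattern)
        if filename is not None:
            results.append(split_path(filename))
    return results


if __name__ == "__main__":
    for row in extract_all(SAMPLE_EVENTS, ANCHORED_RE):
        print(row)
```

With `SIMPLE_RE` the two original events extract cleanly and the apostrophe event is silently dropped; with `ANCHORED_RE` all three are extracted. Which one you want depends on whether a dropped event or a mis-bounded path is the worse failure for your alerting, but either is easier to reason about than enumerating every legal path character.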